Cybersecurity is now the top spend item on the technology investment list. In 2022, 88 percent of boards say that cybersecurity is a business issue, not a technical one. Unfortunately, boards have no idea how to govern cyber as a business issue and executives have no idea how to guide cyber investment as a business issue.
Bottom line, no one can explain the business value of security, so we canât have an adult conversation about business-led investment in cybersecurity. And the world is in a very bad place because of that. We continue to treat security like magic and cybersecurity people like wizards who cast spells to protect our organisations.
Cost and value are the levers that drive every business. They also drive missions in government and national defence. Every organisation invests resources, time, money and people to achieve SOMETHING. Chief Financial Officers (CFO) are the stewards of this investment. CFOs need to see value for money.
Value in security should be measured as levels of protection delivered, not the implementation of tools or the creation of capabilities. That means, no one cares that you spent $2M on an SEIM, they care that itâs delivering the value for which it was intended.
If we can measure how the value of cybersecurity increases when we increase our investment, we can answer key questions like âshould we spend more on cybersecurity?â.
If we can demonstrate the impact on security when we decrease investment, we can answer other key questions like: âIs it OK to cut costs in security?â Every seasoned CISO has experienced the reality of an across the board budget cut and the struggle to express the impact of such cuts on cybersecurity readiness.
How to Measure Cybersecurity Value
Gartnerâs construct for outcome-driven metrics (ODMs) is ideal to measure cybersecurity value. ODMs measure a direct line-of-sight to protection levels (value) expressed as an operational outcome. For example, ânumber of days to patch critical systemsâ is an ODM for threat and vulnerability management. It is both an operational outcome in which we can directly invest, and it has a direct line of sight to the value proposition of patching which is to reduce the amount of time that vulnerabilities are available for exploitation.
Gartner has more than 100 outcome-driven metric examples across more than a dozen control classes that all share the same characteristics for measuring value delivery. They represent operational outcomes with a direct line of sight to the protection levels (value) created by the controls they measure.
Establishing a New Standard of Due Care in Cybersecurity
If you understand the value of current cybersecurity investments, we can establish a standard of due care thatâs defensible to our key stakeholders such as shareholders, regulators, customers, and partners. A standard of due care is a powerful concept to determine whether a person or an organisation is liable after a cybersecurity incident.
It means organisations will not be assumed to be at fault just because they got hacked. Having such a standard will incentivise appropriate investments and the execution will lead to improved protection levels globally.
Measuring and reporting cybersecurity value delivery and establishing a standard of due care accrues many benefits and shifts the landscape in cybersecurity investment and board governance.
Align Cybersecurity to Business Outcomes
Although many in the Gartner client base would claim they already align their security programs to their business, Iâm speaking of a much higher bar of execution than is present today. One where cybersecurity investment (cost) and value delivery (levels of protection) are aligned to specific operating units, business functions, product lines, etc.
When you can direct cybersecurity investment in a business context, you can then direct investment and value (levels of protection) to different parts of the business. For example, in a power generation company, a nuclear power plant needs higher security than a coal-fired plant.
In many highly regulated industries, to establish defensibility to the key stakeholders, regulated parts of the business need higher protection (value) than less regulated parts of the business.
Aligning to business outcomes also closes the gap in executive communication. You can demystify cybersecurity by putting it in a business context to better enable board engagement and governance.
All of this supports a primary directive in cybersecurity which is to balance the needs to protect with the needs to run the business. We can now choose cybersecurity investment based on specific business requirements.
Create Defensibility with Your Key Stakeholders
While the concept of stakeholder defensibility may feel fuzzy to many of you, let me make this extremely real. Your stakeholders for cybersecurity are your regulators, shareholders, customers, and partners.
Through good stakeholder defensibility, you can better manage your regulators with a proactive, defensible risk posture that will, in turn, reduce value-killing MRAs. A Management Requires Attention (MRA) notice is a finding issued by financial service regulators that effectively means âfix this, or we shut you down.â Every industry regulator has its equivalent to MRAs.
MRAs are value-killers because they have board-level attention and usually create an all hands on deck approach to fixing it. That means the organisation stops focusing on value delivery and pours investment into fixing the issue.
Regulators arenât focused on business value delivery, so they donât really care what impact their findings have on your business. Getting out ahead of your regulators with a defensible risk posture reduces these occurrences. It also accommodates more flexibility and business opportunities when your regulators trust that youâre managing risk effectively.
Shareholders need confidence that your cybersecurity protection level (value) is sufficient to warrant their belief that your organisation is a good investment. Customers also need to have the confidence to do business with you. A defensible risk posture means shareholders and customers have visibility into your protection levels. This makes the assertions on your website that your plan to ensure customer security and privacy extends to more than empty promises.
Partners also need to have the confidence to work with you. Third-party risk assessments and governance have been rising for 10 years and you need to get serious about demonstrating that you have the right levels of protection. The bottom line here is to protect your supply chain by ensuring your partners are sufficiently protected, and to ensure that the supply chains of organisations that rely on you are also protected.
Protection Level Agreements Establish Due Care
Establishing care is accomplished through Protection Level Agreements. PLAs are business decisions to invest in measurable levels of protection that drive cost and can be compared to achieved levels of execution. For example, choosing 30-day patching at a projected cost of $1M/year is a PLA. PLAs are operational targets for key controls that represent desired levels of protection (value). These are concrete assertions of risk appetite on a measurable scale.
There are a number of moving parts to the governance and decision making that PLAs enable which will be covered in future posts. For the purpose of establishing care, these are the important elements:
- 7-day patching is more expensive, higher value, and higher protection than ⊠30-day patching which is less expensive, lower value, and lower protection.
- The benefits of 7-day patching vs 30-day patching are observable with another ODM that measures the 12-month rolling average of security incidents related to unpatched vulnerabilities. Are you experiencing a reasonable number of incidents based on your chosen level of protection and investment?
Are your PLAs and execution defensible?
- Peer comparisons can be made through benchmarks. Are you at least as good as your peers?
- Regulators can set required levels of protection. Are your choices and ability to execute within your regulators demands?
- Internal audit can determine if you are hitting your desired levels of protection. Are you executing consistently?
Once care is established and within tolerances, then defensibility can be established. Using our example of a 30-day patching PLA, the exploitation of a vulnerability that is 35 days old is outside the PLA and not defensible. Its recognition that you failed to execute on a desired level of protection.
However, the exploitation of a vulnerability that is 25 days old is defensible because it is the result of a business decision to invest in 30-day patching and to accept all hacks that happen within 30 days of patch availability.
Absorb Inevitable Attacks and Incidents Defensibly
âThere is no such thing as perfect protectionâ is not a platitude. Most board members will nod and smile when you say this, but that doesnât mean they understand it on visceral level that changes the way they approach cybersecurity investment. Today, most are still going to blame the security and IT people when something goes wrong.
incidents and attacks happen every single day. When you suffer a material incident and your executives get involved, PLAs create a new mechanism for defensibility.
Defensibility is based on all your decisions and investments that PRECEDE a material incident. Those who made good, defensible decisions should get a pass. Those who are arguably âasleep at the wheelâ should get commensurate consequences.
In 2019, Capital One was (and is) a recognised leader in native cloud security which created a measure of defensibility even though they suffered a material cybersecurity attack. Arguably, mistakes were made, and execution struggled around the time of the incident, but it still required a sophisticated hacker with arguably inside knowledge to compromise their systems. Their result was a $190M settlement, an $80M fine, and their CISO was replaced.
In 2017, Equifax suffered a material cybersecurity attack, but according to congressional testimony, they did not have a defensible position. The report concluded âEquifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.â Another material conclusion was âEquifaxâs CEO did not prioritise cybersecurity.â Their result was a $575M-$700M settlement while the CEO, CIO, and CISO all left the company in the wake of the incident.
Although suffering similarly damaging attacks, Equifax suffered twice the costs and the loss of 3 executives, including their CEO, compared to Capital One. I envision a world where executives can make defensible cybersecurity investment decisions and are judged by their defensibility. This is possible with transparent, measurable cybersecurity value delivery metrics outlined in PLAs.
With PLAs your stakeholders have a transparent view to judge your defensibility and to act accordingly.
- Regulators levy fines or not
- Customers leave you or stay
- Shareholders sell your stock or increase their investment
- Partners choose to work with others or stay with you
- âŠAnd all of them influence if the CEO, the CIO, and the CISO stay or go.
Create a Safer World
This changes everything about the handling and treatment of cybersecurity investment, executive expectations, and stakeholder defensibility. It combines the defensibility of your original PLA decisions with the defensibility of your execution.
Treating cybersecurity in this manner will lead to better cybersecurity investment decisions, better execution, and a safer world.
Paul Proctor is Distinguished VP Analyst for Gartner. This article is republished with permission f Gartner
Gloss